apiVersion: v1
kind: Role
metadata:
  annotations:
    openshift.io/description: An application owner. Can view everything but ConfigMaps.
  name: appowner
  namespace: "{{ app }}"
rules:
{% if env == "staging" %}
- apiGroups: ["monitoring.coreos.com"]
  resources: ["alertmanagers", "prometheuses", "prometheusrules", "servicemonitors", "podmonitors"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
{% endif %}
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - endpoints
  - persistentvolumeclaims
  - pods
  - pods/attach
  - pods/exec
  - replicationcontrollers
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
{% if env == "staging" %}
  - create
  - delete
  - update
{% endif %}
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - appliedclusterresourcequotas
  - bindings
  - buildconfigs
  - buildconfigs/webhooks
  - buildlogs
  - builds
  - builds/log
  - deploymentconfigs
  - deploymentconfigs/log
  - deploymentconfigs/rollback
  - deploymentconfigs/scale
  - deploymentconfigs/status
  - deployments
  - deployments/scale
  - events
  - horizontalpodautoscalers
  - imagestreamimages
  - imagestreammappings
  - imagestreams
  - imagestreams/status
  - imagestreamtags
  - jobs
  - limitranges
  - namespaces
  - namespaces/status
  - pods/log
  - pods/status
  - processedtemplates
  - replicasets
  - replicasets/scale
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - resourcequotausages
  - routes
  - routes/status
  - statefulsets
  - templateconfigs
  - templates
  verbs:
  - get
  - list
  - watch
{% if env == "staging" %}
  - create
  - delete
  - update
{% endif %}
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - buildconfigs/instantiate
  - builds
  verbs:
  - create
  - update
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - projects
  verbs:
  - get
- apiGroups:
  - autoscaling
  attributeRestrictions: null
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
{% if env == "staging" %}
  - create
  - delete
  - update
{% endif %}
- apiGroups:
  - batch
  attributeRestrictions: null
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
{% if env == "staging" %}
  - create
  - delete
  - update
{% endif %}
- apiGroups:
  - build.openshift.io
  attributeRestrictions: null
  resources:
  - jenkins
  verbs:
  - view
- apiGroups:
  - '*'
  attributeRestrictions: null
  resources:
  - daemonsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps.openshift.io
  attributeRestrictions: null
  resources:
  - deploymentconfigs/instantiate
  verbs:
  - create
